Background: Know: VLANs. Anticipates: Configuration management, SNMP.

== Terminology ==

Ports can be configured to carry multiple vlans. These are called trunk ports in Cisco parlance, or simply tagged ports by other vendors. Alteon/Nortel/BNT use "trunk" to mean an aggregation of links rather than a vlan-tagged link; in Cisco terminology a link made up of several aggregated Ethernet links is called an EtherChannel or port-channel. This article uses the Cisco terminology. By definition a vlan trunk carries more than one vlan, otherwise it would not be a (Cisco) trunk. The configuration of a trunk port defines which vlans are allowed on the link. This type of link is used to extend multiple vlans between switches.

== Configuration protocols ==

When switches are connected together with trunks that carry vlans spanning several switches, vlan distribution protocols are used to maintain consistency between the switches, so that, for example, vlan 555 is the same vlan on each switch. This avoids any confusion about which vlan is which and allows a single point of configuration for the vlan, instead of having to configure it on each switch independently.

<gallery>
BNT switch.jpg|BNT Switch|link=http://www.bladenetwork.net/userfiles/file/PDFs/VFSM_CR_6-5.pdf
Juniper EX switch.jpg|Juniper EX Switch|link=http://www.juniper.net/us/en/products-services/switching/ex-series/ex8200/
Catalyst 6509-VE.jpg|Cisco Catalyst 6509-VE|link=http://www.cisco.com/en/US/products/ps9306/index.html
</gallery>

The vlan distribution protocol used by Cisco is called VLAN Trunking Protocol (VTP). A switch configured in a particular VTP domain shares its vlan information with all switches in the same domain via the trunks between them. This allows adds, moves and changes to vlans to be made network wide. VTP-capable switches can be configured in server, client or transparent mode.
In server mode a VTP switch can add, delete or modify a vlan within the domain; in client mode it cannot make any changes to the domain. In transparent mode a switch does not participate in VTP, but it will forward VTP frames between other connected switches that run VTP. VTP accepts updates on the basis of a configuration revision number, so any switch (a client included) that joins the domain with a higher revision number than the existing switches will overwrite their vlan database. Set a VTP password on the domain, and reset the revision number of a previously used switch (for example by changing its domain name or putting it into transparent mode) before connecting it to a production network.

A feature of VTP is pruning. In Ethernet switches, broadcast and unknown unicast traffic is flooded to all ports in the vlan it originates from. If a switch has a trunk carrying a vlan but no access ports in that vlan, pruning stops the neighbouring switch from forwarding this type of traffic across the trunk unnecessarily.

It is important to remember that VTP is a proprietary Cisco protocol. Other switch vendors needed a different but similar mechanism to pass vlan information between switches. The IEEE originally defined the Generic Attribute Registration Protocol (GARP, in IEEE 802.1D) and its vlan application GVRP to do this, but GARP was found to have deficiencies in convergence and failover. It was replaced by the Multiple Registration Protocol (MRP) in the 802.1ak amendment (2007), and the vlan variant MVRP is used by Juniper on its EX series switches. Cisco also supports MVRP for interoperability with other vendors. MVRP registers a vlan on a link only where a device has asked for it, rather than distributing a central vlan database, so it has no separate pruning feature of the kind VTP provides.

== Other Management Interfaces ==

The protocols above manage addition, deletion and changes to vlans on a network-wide basis, but even with these protocols the change has to be made in at least one place on the network before it can be distributed. Typically these changes are made through the command line interface or the GUI of the network device operating system. Most network administrators prefer the command line as it is generally faster and more fully featured, although some network devices (e.g. the Juniper ''Netscreen'' firewall) have a GUI that is as usable as the command line. The command line interface is typically reached over telnet or ssh, and may also support different terminal emulation modes. Telnet carries the login credentials and the whole session in clear text, so ssh should be used wherever the device supports it.
Usually access is via IP over Ethernet, but most devices also support a serial connection for terminal access. Other methods of modifying network device configuration include SNMP with write access, and downloading the configuration file using a file transfer protocol (tftp, ftp, sftp or scp), modifying the file, then uploading the modified configuration file and reloading it into the device. SNMPv1 and v2c send the community string in clear text, so a write community is effectively a plain-text password for the whole device; use SNMPv3 with authentication and privacy, restrict the source addresses allowed to manage the device, and prefer sftp or scp over tftp and ftp for configuration transfers. Some vendors (e.g. F5, Cisco, Juniper) also provide proprietary network element management systems offering centralised management and configuration control.

== Vlan configuration ==

When configuring a vlan, each vlan is given a number. The vlan number is the minimum configuration needed to create a vlan. The 802.1Q tag holds a 12-bit vlan identifier, giving 4096 values, of which 0 and 4095 are reserved by the standard, so a switch can support at most 4094 vlans, and most switches keep some of those for their own use (internal or reserved vlans). Often the vlan is also given a descriptive name. A typical configuration to create and name a vlan on a Cisco switch is:

<pre>
vlan 565
 name Web-Server-Farm
</pre>

The next step is to use the vlan just created. On a Cisco device this means assigning the vlan to an interface, for example:

<pre>
interface Ethernet1/9
 switchport mode access
 switchport access vlan 565
</pre>

This configuration defines the port as a switch port in vlan 565, as opposed to, say, a router port or a switch port in trunk mode. Configuration of a dot1q trunk interface carrying vlan 565 and vlans 580 to 599 looks like this:

<pre>
interface Ethernet1/9
 switchport mode trunk
 switchport trunk allowed vlan 565,580-599
</pre>

(On older Catalyst platforms that also support ISL, <code>switchport trunk encapsulation dot1q</code> must be set before the port can be made a trunk.) Without the <code>allowed vlan</code> line a trunk carries every vlan defined on the switch, so the list should always be restricted to the vlans the link actually needs. Note that the vlan is assigned to the port, but it would be just as valid to assign the port to the vlan, as Alteon did and as is now followed by Radware and BNT, who inherited the Alteon OS.
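As an added example (not from the original article or from any Cisco tool), the following Python script parses the interface stanzas of an IOS-style running config, expands the allowed-vlan range syntax used above, and reports which ports carry each vlan, which trunks have no explicit allowed list (and so carry every vlan), and which ports reference a reserved vlan ID. The config text, port names and vlan numbers are constructed for illustration.

```python
"""Audit switchport vlan assignments in a Cisco IOS-style running config.

Added example, not code from the original article or from Cisco. It parses
'interface' stanzas from a constructed config snippet, expands the
'switchport trunk allowed vlan' range syntax, and reports trunks that have
no allowed-vlan list (IOS then allows every vlan) and ports that reference
a vlan ID outside the usable 802.1Q range 1-4094.
"""
import re
from typing import Dict, List, Set

VID_MIN, VID_MAX = 1, 4094  # 0 and 4095 are reserved by IEEE 802.1Q


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '565,580-599' (or 'all'/'none') into a set of vlan IDs.

    The 'add'/'remove'/'except' keyword forms are not handled and raise ValueError.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(VID_MIN, VID_MAX + 1))
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if lo_i > hi_i or lo_i < VID_MIN or hi_i > VID_MAX:
            raise ValueError(f"bad vlan range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def parse_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Return {interface name: {'mode': ..., 'access': ..., 'allowed': ...}}."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the stanza
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[:2] == ["switchport", "mode"]:
            current["mode"] = tokens[2]
        elif tokens[:3] == ["switchport", "access", "vlan"]:
            current["access"] = tokens[3]
        elif tokens[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            current["allowed"] = " ".join(tokens[4:])
    return interfaces


def audit(config: str) -> Dict[str, object]:
    """Summarise vlan membership and flag risky or invalid port configuration."""
    vlan_ports: Dict[int, List[str]] = {}
    open_trunks: List[str] = []   # trunks allowing every vlan by default
    bad_vids: List[str] = []      # ports referring to a reserved/invalid vlan ID
    unspecified: List[str] = []   # ports with no 'switchport mode' line
    for name, cfg in parse_interfaces(config).items():
        mode = cfg.get("mode")
        if mode == "access":
            vid = int(cfg.get("access", "1"))  # IOS default access vlan is 1
            if VID_MIN <= vid <= VID_MAX:
                vlan_ports.setdefault(vid, []).append(name)
            else:
                bad_vids.append(name)
        elif mode == "trunk":
            if "allowed" not in cfg:
                open_trunks.append(name)  # intended vlan set unknown, so not mapped
                continue
            try:
                allowed = expand_vlan_list(cfg["allowed"])
            except ValueError:
                bad_vids.append(name)
                continue
            for vid in sorted(allowed):
                vlan_ports.setdefault(vid, []).append(name)
        else:
            unspecified.append(name)
    return {"vlan_ports": vlan_ports, "open_trunks": open_trunks,
            "bad_vids": bad_vids, "unspecified": unspecified}


# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
vlan 565
 name Web-Server-Farm
!
interface Ethernet1/9
 switchport mode access
 switchport access vlan 565
!
interface Ethernet1/10
 switchport mode trunk
 switchport trunk allowed vlan 565,580-599
!
interface Ethernet1/11
 description uplink left open - carries every vlan on the switch
 switchport mode trunk
!
interface Ethernet1/12
 switchport mode access
 switchport access vlan 4095
!
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for vid, ports in sorted(report["vlan_ports"].items()):
        print(f"vlan {vid}: {', '.join(ports)}")
    print("trunks with no allowed-vlan list:", report["open_trunks"])
    print("ports using a reserved vlan ID:", report["bad_vids"])
```

Run the file directly to print the report for the embedded sample; point `audit()` at the output of `show running-config` to use it on a real switch.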
So, for example, on a BNT switch a configuration to add port 12 to vlan 565 would be:

<pre>
/cfg/l2/vlan 565/add 12
apply
save
</pre>

To make the BNT port into a Cisco-style trunk, or in BNT terminology a tagged port, you enable tagging on the port and then add the port to more vlans:

<pre>
/cfg/port 12/tag ena
/cfg/l2/vlan 565/add 12
/cfg/l2/vlan 580/add 12
/cfg/l2/vlan 581/add 12
...
/cfg/l2/vlan 599/add 12
apply
save
</pre>

(In the BladeOS menu CLI, <code>apply</code> activates the change and <code>save</code> writes it to flash.)

On a Juniper EX switch the command line uses a set syntax. The following commands create vlan 100 (named sales) and assign port ge-0/0/0 to this vlan:

<pre>
user@switch# set interfaces ge-0/0/0 unit 0 description "Sales wireless access point port"
user@switch# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
user@switch# set vlans sales vlan-id 100
user@switch# commit
</pre>

The following command shows the result of the above configuration:

<pre>
user@switch> show vlans
Name           Tag     Interfaces
sales          100     ge-0/0/0.0*
</pre>

== Vlan Interfaces ==

No discussion of vlan configuration would be complete without vlan interfaces. Many Layer 2 switches can also operate as Layer 3 (IP) routers. Vlan interfaces are Layer 3 interfaces with IP addresses and possibly IP access lists (or any other feature associated with router interfaces), with one special quality: the single vlan interface is present on every port configured in that vlan. It is a virtual IP interface defined within the switch that every other device in the vlan can use as its gateway into the rest of the network, which is very useful for server farms or other applications where a large number of devices need a single gateway. Using vlan interfaces on a combined Layer 2/Layer 3 switch puts both routing and switching in one device, a very fundamental tool for network designers.
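The vlan numbers used in the configurations above travel in the 802.1Q tag of each frame, and the protocol-based vlans described further down decide membership from the frame type (Ethernet II, LLC or SNAP) and the EtherType. As an added example that is not part of the original article or of any vendor's implementation, the following Python decodes those header fields from raw frames and applies a rule table in the same frame-type/EtherType style. The rule table, its labels and the sample frames are constructed for illustration and are assumptions, not a switch's actual behaviour.

```python
"""Classify Ethernet frames the way a protocol-based vlan rule does.

Added example, not from the original article or any vendor's implementation.
It decodes the header fields a protocol-based vlan rule looks at: the optional
802.1Q tag (12-bit vlan ID), the frame type (Ethernet II, LLC or SNAP) and
the 16-bit EtherType, then picks a sub-vlan from a hypothetical rule table.
All sample frames and rules below are constructed for illustration.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_MIN = 0x0600      # type/length values >= this are an EtherType (Ethernet II)
SNAP_SAP = 0xAA             # DSAP and SSAP value that announces a SNAP header
VID_MIN, VID_MAX = 1, 4094  # 0 = priority tag only, 4095 = reserved (802.1Q)


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return MACs, vlan ID (None if untagged), priority, frame type and EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info: Dict[str, object] = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                               "vid": None, "pcp": 0}
    offset = 12
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        if not VID_MIN <= vid <= VID_MAX:
            raise ValueError(f"reserved vlan ID {vid} in 802.1Q tag")
        info["vid"], info["pcp"] = vid, tci >> 13
        offset = 16
    if len(frame) < offset + 2:
        raise ValueError("missing type/length field")
    type_len = struct.unpack("!H", frame[offset:offset + 2])[0]
    offset += 2
    if type_len >= ETHERTYPE_MIN:
        info["frame_type"], info["ethertype"] = "Ethernet II", type_len
        return info
    # IEEE 802.3 frame: type_len is a payload length and an LLC header follows
    if len(frame) < offset + 3:
        raise ValueError("missing LLC header")
    dsap, ssap, ctrl = frame[offset], frame[offset + 1], frame[offset + 2]
    if dsap == SNAP_SAP and ssap == SNAP_SAP and ctrl == 0x03 and len(frame) >= offset + 8:
        # SNAP: 3-byte OUI then a 2-byte protocol ID, which is the EtherType for OUI 00-00-00
        info["frame_type"] = "SNAP"
        info["ethertype"] = struct.unpack("!H", frame[offset + 6:offset + 8])[0]
    else:
        info["frame_type"], info["ethertype"] = "LLC", None
    return info


# Hypothetical sub-vlan rules for dot1q vlan 565: (frame type or None, EtherType or None, label).
# The first matching rule wins, like a per-vlan protocol-based vlan table.
Rule = Tuple[Optional[str], Optional[int], str]
RULES: List[Rule] = [
    ("Ethernet II", 0x0800, "565-ipv4"),
    ("Ethernet II", 0x0806, "565-ipv4"),  # ARP belongs with IPv4
    ("Ethernet II", 0x86DD, "565-ipv6"),
    ("SNAP", 0x86DD, "565-ipv6"),
    ("LLC", None, "565-llc"),
]


def protocol_vlan(info: Dict[str, object], rules: List[Rule] = RULES) -> Optional[str]:
    """Return the label of the first rule matching the decoded frame, or None."""
    for frame_type, ethertype, label in rules:
        if frame_type is not None and frame_type != info["frame_type"]:
            continue
        if ethertype is not None and ethertype != info["ethertype"]:
            continue
        return label
    return None


# Constructed sample frames (not captured traffic): fixed MACs, optional tag, type/length + payload.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")


def build_frame(body: bytes, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return DST + SRC + tag + body


SAMPLE_FRAMES: Dict[str, bytes] = {
    "ipv4_tagged": build_frame(struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19, vid=565, pcp=3),
    "arp_untagged": build_frame(struct.pack("!H", 0x0806) + b"\x00" * 28),
    "stp_llc": build_frame(struct.pack("!H", 38) + bytes([0x42, 0x42, 0x03]) + b"\x00" * 35, vid=565),
    "ipv6_snap": build_frame(struct.pack("!H", 48) + bytes([0xAA, 0xAA, 0x03, 0, 0, 0])
                             + struct.pack("!H", 0x86DD) + b"\x60" + b"\x00" * 39, vid=565),
}


def classify_all(frames: Dict[str, bytes] = SAMPLE_FRAMES) -> Dict[str, Optional[str]]:
    """Map each sample frame name to the sub-vlan label it would be placed in."""
    return {name: protocol_vlan(parse_frame(frame)) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        info = parse_frame(frame)
        print(f"{name:13s} vid={info['vid']} {info['frame_type']:11s} "
              f"ethertype={info['ethertype']} -> {protocol_vlan(info)}")
```

The parser rejects tags carrying VID 0 or 4095, the two values 802.1Q reserves, which is the same range limit that applies to the vlan numbers chosen in the configurations above.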
To configure a vlan interface on a Cisco switch/router, the syntax is:

<pre>
interface Vlan565
 description Gateway for web server farm
 ip address 10.156.16.1 255.255.255.0
</pre>

(NX-OS also accepts the prefix-length form <code>ip address 10.156.16.1/24</code> and requires <code>feature interface-vlan</code> to be enabled first.) A vlan interface is a router interface, so it is also the place for inter-vlan access lists: without them, every vlan that has a vlan interface on the switch can reach every other.

== Protocol-based vlans ==

It is possible to configure some switches to separate traffic into different vlans based on protocol. In most cases this is done on Layer 2 attributes; for example, a BNT switch can differentiate traffic based on:

* Frame type
** Ether2 (Ethernet II)
** SNAP (Subnetwork Access Protocol)
** LLC (Logical Link Control)
* Ethernet Type: a 4-digit (16-bit) hex value that defines the Ethernet type. Commonly used values are:
** IPv4 0800
** IPv6 86dd
** ARP 0806

These vlans are subsets of the dot1q vlan and are defined within each individual vlan created above. Separating traffic into different vlans based on protocol provides a way to apply different QoS priorities based on Layer 2 attributes without classifying the traffic at Layer 3.

Dynamic vlan membership can be based on Layer 2 protocols or on authentication mechanisms: for example, the RADIUS authentication protocol commonly used for Wi-Fi can instruct a switch to put a particular user into a particular vlan based on their credentials, to limit access to restricted parts of the network.

== See also ==

* Cisco: Understanding VLAN Trunk Protocol (VTP)
* BNT BladeOS 6.5 CLI Command Reference
* Juniper: Configuring VLANs for EX-series Switches

== External Links ==

* IEEE 802.1Q 2005
* Wikipedia 802.1Q
* IEEE 802.1ak - Multiple Registration Protocol

[[Category:All]]